Communication method with encryption key escrow and recovery

ABSTRACT

Communication process with key encryption escrow and recovery systems.  
     The entity participating in a communication session generates a session key (SK) through a pseudorandom generator that is initiated by the entity's secret key and an initial value (IV). The session key codes the message. The escrow authority that files the secret code may recover the message and the initial value (IV).  
     Application to secure communication systems.

TECHNICAL FIELD

[0001] The object of the present invention is a communication process, which allows for key encryption escrow and recovery operations. These operations guarantee one or several previously determined bodies (for example, a security administrator of a company network, a trusted third party, and in certain cases, actual users of an encryption system) the possibility to recover, if need be, the session key used during communication on the basis of exchanged data. The possibility to recover a session key may arise from a requirement to legally intercept or recover keys within a company.

[0002] The invention has an application in secure communication services.

STATE OF THE PRIOR ART

[0003] There are essentially two types of key escrow/recovery techniques that guarantee one or several escrow authorities the ability to rebuild, from data exchanged during communication between two speakers or entities a and b, the session key used in order to decode this communication. These two types of techniques may be implemented without any data exchange occurring during each communication between the entities and the escrow authority or authorities (process known as “off line”).

[0004] Type 1: Filing of static keys to distribute keys with an escrow authority.

[0005] This type of technique is applied to systems where a session key established between speakers uses a key exchange protocol that relies on ownership by one of the speakers (for example, b) of a secret static key (in other words, one that is not renewed at each session). The secret key used by b in the key exchange protocol is filed with an escrow authority (or distributed amongst several escrow authorities). Ownership of this secret allows the escrow authority (or authorities) to rebuild, if necessary, every session key exchanged between a and b from the messages used in the protocol to establish this key. An example of this key escrow and recovery method is offered in the article “A Proposed Architecture for Trusted Third Party Services” by N. Jefferies, C. Mitchell and M. Walker, that appeared in “Lecture Notes in Computer Science 1029, Cryptography Policy and Algorithms Conference”, pp. 98-104, Springer Verlag, 1996. It is one of the principal methods within this first type of techniques, which is currently being considered in Europe.

[0006] Type 2: Recovery of dynamic encryption keys (session keys) through legal fields.

[0007] As opposed to the previous technique, this second type of technique does not require prior filing of the secret static keys used during the exchange of session keys, but rather the insertion of one or several legal fields within the messages exchanged between a and b during a secure communication, containing information on the session key SK in a format intelligible only to the escrow authority. The session key SK (or information on this key) may, for example, be coded using the RSA public key of an escrow authority. The “Secure Key Recovery” (SKR) protocol, suggested by IBM, is included in this type of techniques.

[0008] These two types of techniques present certain drawbacks for the protection of open applications that may wish to be used between speakers in different countries or separate jurisdictions, as for example with secure electronic mail systems. When a secure application is likely to be used for international communication, the following two conditions should be fulfilled:

[0009] (i) For all relevant communications, each country must be free to implement, or not, a key escrow/recovery system for this application.

[0010] (ii) For each country with a key escrow/recovery system in place, authorities entitled to recover, if necessary, session keys for coding an international communication, need to be able to do so without having to cooperate with authorities in other countries for each interception.

[0011] Thus, the aforementioned known techniques fulfil these conditions only partly, if at all:

[0012] For processes of the first type, when the distribution method of the relevant session key relies on public key encryption (in particular the RSA encryption used in a large number of security products), recovery of the session key in a communication is only possible without international cooperation in the country where the secret key used for key distribution was filed. This problem has led certain authors (cf. the aforementioned N. Jefferies et al article) to advocate key escrow/recovery systems that rely on a more symmetrical key exchange method similar to the Diffie-Hellman scheme. These systems fulfil the previous condition (ii) and could possibly, on the basis of certain adaptations, fulfil condition (i), yet they present strong constraints on the key distribution method used that notably exclude the use of the RSA algorithm.

[0013] For processes of the second type, key recovery in the country of destination using legal fields relies on the transmitting country establishing a key escrow/recovery technique that is adapted to the country of destination, namely the transmission of legal fields intelligible to the escrow authorities of the country of destination. This constraint contradicts the previous condition (i).

[0014] The D. E. Denning article “Descriptions of Key Escrow Systems” published in “Communications of the ACM”, vol. 39, n°3, March 1996 and the D. E Denning and D. K. Branstad article “A Taxonomy of Key Recovery Encryption Systems” published in “Communications of the ACM”, vol. 39, n°3, March 1996 both provide a description and a comparative analysis of more than thirty key escrow and recovery systems.

[0015] We may limit ourselves to two examples illustrated in the attached FIGS. 1 and 2.

[0016] Firstly, FIG. 1 shows two entities a, b each fitted with cryptography means (not shown) and each equipped with an identity Id_(a), Id_(b), with a public key and a secret encryption key, respectively P_(a), P_(b) and S_(a), S_(b), as well as a certificate C_(a), C_(b). Further, two escrow authorities T_(a) and T_(b) are related to the two entities a and b, where these two authorities each file the secret keys S_(a), S_(b) of the relevant entities and their certificates C_(a) or C_(b). The certificates attest to the relation between the secret key and the public key, and to the correct filing of the secret key. The certification authority is not shown on this figure. The certificate may conform to recommendation X.509 of the ITU-T.

[0017] The communication process between these different means includes the following operations:

[0018] A) Entity a that engages in a transmission session of a message M:

[0019] Checks the validity of certificates C_(a) and C_(b).

[0020] Produces a session key SK to implement a pseudo-random generator (not shown).

[0021] Uses its cryptography facilities to code the session key SK with the public key P_(b) of the other entity and codes message M with the session key according to a symmetric encryption algorithm.

[0022] Transmits its identity Id_(a) or its certificate C_(a), the encrypted session key P_(b)(SK) and the coded message E_(SK)(M).

[0023] B) Entity b, that receives the transmission:

[0024] Checks the validity of certificates C_(a) and C_(b).

[0025] Recovers session key SK by using its secret key S_(b).

[0026] Decodes message M by using the session key SK.

[0027] With such a process, the escrow authority T_(b) may, if desired, also recover the session key SK with the aid of the secret key S_(b) which it filed and may thus also recover the transmitted message.

[0028] This process presents a drawback, namely, while the escrow authority T_(b) may recover the session key SK (since it filed the secret key S_(b)) and therefore the transmitted message, the case is different for escrow authority T_(a) since it does not have the secret key S_(b). Cooperation between escrow authorities T_(a) and T_(b) must therefore be accounted for, which is rare in the case of international communication.

[0029] This difficulty comes especially from the fact that the key exchange process resorts to an asymmetric encryption-decryption system that uses a pair of keys, respectively public-secret, as for example with RSA encryption. Certain authors advocate more symmetrical processes similar to a protocol known as Diffie-Hellman. This process is illustrated in FIG. 2. The means found here are noticeably similar to those in FIG. 1, namely two entities a and b, and two escrow authorities T_(a) and T_(b). Parameters of the Diffie-Hellman protocol consist of a large prime number p, known as a modulus, and a generator number g. The two escrow authorities T_(a) and T_(b) are associated with these numbers p and g. The secret key S_(a) for a is a secret exponent α which is filed in T_(a) and the public key for a is P_(a)=g^(α). Certificate C_(a) contains the public key P_(a)=g^(α). The same applies to entity b, namely (S_(b)=β, P_(b)=g^(β)).

[0030] In order to send a message to entity b, entity a generates a session key SK and addresses b with the following:

[0031] Its certificate C_(a) (which contains P_(a)=g^(α)).

[0032] The session key coded with an algorithm E using key g^(αβ) (E_(g^(αβ))(SK)).

[0033] The message coded by the session key SK (E_(SK)(M)).

[0034] Knowledge by T_(a) of α and the public key P_(b)=g^(β) of b allows T_(a) to calculate (g^(β))^(α)=g^(αβ). This also applies to T_(b), which can calculate (g^(α))^(β)=g^(αβ). Thus, g^(αβ) is shared by a and b.

[0035] Each authority T_(a) and T_(b) may therefore recover the session key (SK) and similarly the message (M).

[0036] But, here again, the scheme calls for an agreement between both parties.

[0037] The aim of the present invention is to remedy these drawbacks by suggesting a process which does not require any agreement between communicating parties, where the recovery of the session key and the message may be done by using only the data exchanged in the communication.

DESCRIPTION OF THE INVENTION

[0038] Precisely, the object of the invention is a communication process coded with key encryption escrow and recovery systems, by implementing:

[0039] A first entity (a) consisting of the first cryptography means (MC_(a)) and equipped with a first identity (Id_(a)), a first public key for key distribution (P_(a)) and a first secret key for key distribution (S_(a)) that corresponds to said first public key (P_(a))

[0040] A second entity (b) consisting of the second cryptography means (MC_(b)) and equipped with a second identity (Id_(b)), a second public key for key distribution (P_(b)) and a second secret key for key distribution (S_(b)) that corresponds to said second public key (P_(b)).

[0041] In that this process consists of:

[0042] (i) A preliminary phase to establish a session key (SK), in which at least one of the entities (a, b) produces a session key (SK) and forms a cryptogram consisting of this key coded by the public key (P_(b), P_(a)) of the other entity, where the other entity (b, a) decodes said cryptogram with the aid of its secret key (S_(b), S_(a)) and recovers the session key (SK).

[0043] (ii) An exchange of messages (M) phase in which the entities (a, b) form cryptograms E_(SK)(M) consisting of messages (M) coded by the session key (SK) that is established in the preliminary phase, where each entity decodes the received cryptogram with the aid of the session key (SK) and thus recovers the message it has been sent.

[0044] This process is characterised in that:

[0045] It further implements at least one escrow authority (T_(a), T_(b)) associated with one of the entities (a, b), where this authority files the secret key (S_(a), S_(b)) of the related entity (a, b).

[0046] In the preliminary phase, the entity (a, b) that produces the session key (SK) implements a pseudorandom generator (PRG_(a), PRG_(b)) known by the related escrow authority (T_(a), T_(b)) and initiates this pseudorandom generator with the aid of its secret key (S_(a), S_(b)) and an initial value (IV) deduced from relevant data by an algorithm known by the escrow authority (T_(a), T_(b)).

[0047] According to an application mode, the escrow authority (T_(a), T_(b)) associated with the entity (a, b) that produces the session key (SK) in the preliminary phase, implements a pseudo-random generator identical to that of the related entity (PRG_(a), PRG_(b)), initiates this generator with said initial value (IV) and the secret key (S_(a), S_(b)) of the related entity (a, b) that it filed, and thus recovers the session key (SK).

[0048] According to another application mode, the escrow authority (T_(b), T_(a)) associated with the entity (b, a) that has not produced the session key (SK) in the preliminary phase, decodes the cryptogram of the session key (P_(b)(SK), P_(a)(SK)) with the aid of the secret key (S_(b), S_(a)) of the related entity (b, a) that it filed, and thus recovers the session key (SK).

[0049] The initial value (IV) may either be deduced from data exchanged between entities a and b in the preliminary phase to establish the session key, or obtained from successive trials using data capable of generating a given number of values, where this number is sufficiently limited for the time taken by the escrow authority to be compatible with the considered application.

[0050] As explained in the introduction, the escrow authority may be an authorised third party, or a security administrator of a company network, or even the actual user (the escrow is then a “self-escrow”).

BRIEF DESCRIPTION OF DRAWINGS

[0051] FIG. 1, already described, illustrates a process known as asymmetric.

[0052] FIG. 2, already described, illustrates a process known as symmetric.

[0053] FIG. 3 illustrates in a diagram a process according to the invention.

DESCRIPTION OF PARTICULAR APPLICATION MODES

[0054] The invention process may be described by first specifying certain initial conditions, subsequently outlining the procedures developed in the user's cryptology means, and finally describing the procedure of key recovery.

[0055] A. Initial Conditions

[0056] The secret key S_(a) of the public key encryption system used by entity a in order to establish session keys is filed with escrow authority T_(a). Delivery to a, by a certification authority CA designated in advance by T_(a), of a certificate C_(a) attesting to the relation between identity Id_(a) of a and public key P_(a) (for example a certificate that conforms to recommendation X.509 of the ITU-T) must be subject to this filing. Possession by a of a certificate from CA proves that filing with T_(a) of the secret key S_(a) corresponding to public key P_(a) effectively occurred. In practice, the certification authority CA and the third party escrow T_(a) may be one and the same body, or two separate bodies having signed an agreement. According to circumstances, generating the secret key S_(a) may be done by user a or by the third party T_(a).

[0057] B. Procedures in the User's Cryptology Means

[0058] “Cryptology means of a”, noted as MC_(a), is understood to be the software and material resources enabling cryptographic calculations to establish a session and encryption key for a during a secure communication. For example, the client software of a secure electronic mail system may be considered a cryptology means.

[0059] In order for the user's cryptology method MC_(a) to conform to the third party escrow service provided by T_(a), it must fulfil the following conditions:

[0060] (i) Performance of the MC_(a) encryption functions (establishing a session key, encrypting) must be subject to the presence of a certificate C_(a) from a certification authority CA designated by T_(a) and of the corresponding secret key S_(a). The cryptology means MC_(a) must not only check that the certificate C_(a) is valid, but also that there is an effective relation between the secret key S_(a) and the public key P_(a) contained within C_(a). These checks are necessary to ensure that the third party escrow T_(a) is able to recover the session keys used by MC_(a).

[0061] (ii) The process to generate keys implemented by MC_(a), typically the algorithm to generate keys used to generate a session key SK when a initiates a secure session with speaker b, must be a pseudo-random generator PRG known by T_(a), and whose seeds, namely the entries from which the values of the generators are calculated, consist of:

[0062] The secret key S_(a) (or, according to a variant, a function H(S_(a)) of this key).

[0063] An initial value IV deduced, by an algorithm known by T_(a), from variable data contained within the non-coded portion of communications between a and its speakers (for example, the date and time), or from a counter maintained within MC_(a).

[0064] The pseudo-random generator must fulfil the following conditions:

[0065] (i) The output value of this generator (typically the session key SK) must be easy to deduce from S_(a) (or H(S_(a))) and the initial value IV. According to a preferred embodiment, the effective size of the initial value IV may be limited to between 20 and 40 bits, so that, when the secret key S_(a) is known, the generator's output value can still be recovered by exhaustive search even when the exact value of IV is lost.

[0066] (ii) Information on S_(a) (or H(S_(a))) must be difficult to predict from the set of values of IV and the corresponding output values PRG(S_(a), IV) or PRG(H(S_(a)), IV).

[0067] (iii) Information relating to the outputs PRG(S_(a), IV) or PRG(H(S_(a)), IV) for the different values of IV must be difficult to predict when the value S_(a) (or H(S_(a))) is not known.

[0068] C. Procedures of Key Recovery

[0069] There are two separate procedures for key recovery of the session key SK used to code a secure communication between user a and receiver b by T_(a), or an authority entitled to access secret S_(a) filed by T_(a), which are as follows:

[0070] (i) If the session key SK is produced by b and received by a and coded with the aid of public key P_(a) of a, then T_(a) may recover key SK by decoding the cryptogram P_(a)(SK) transmitted in the key distribution protocol with the aid of the filed secret S_(a).

[0071] (ii) If the session key SK is produced by the cryptology means of a and sent to b coded under the public key P_(b) of b, then T_(a) may recover the initialisation value IV from the cleartext data exchanged between a and b and rebuild the SK value with the aid of IV and the filed value of S_(a), by the calculation SK=PRG(S_(a), IV) or SK=PRG(H(S_(a)), IV). In the cases where IV is the value of a counter, or where the effective size of IV is limited or, for whatever reason, IV cannot be recovered from the cleartext data, it is still possible for T_(a) to recover the session key SK through an exhaustive test of the possible IV values, checking for each whether the value SK=PRG(S_(a), IV) or SK=PRG(H(S_(a)), IV) obtained is the right one.
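The following Python model is added here as an illustration and is not part of the patent text. It instantiates the escrowable key derivation of [0046] and the generator conditions of [0065] with HMAC-SHA256 as the PRG (an assumption; the patent fixes no particular generator), then shows both forms of recovery procedure (ii) of [0071]: recomputation from a known IV, and exhaustive search over a short IV. The patent does not say how T_(a) recognises the right candidate during the search; the example assumes an integrity tag over the cryptogram under SK, which the receiver would verify anyway. Every key, IV and cryptogram is constructed for the example.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 16  # bytes of session key taken from the PRG output (assumption)


def h_secret(s_a: bytes) -> bytes:
    """H(S_a): the one-way function of the filed secret key (variant of [0062])."""
    return hashlib.sha256(s_a).digest()


def prg(hs_a: bytes, iv: int, iv_bits: int) -> bytes:
    """PRG(H(S_a), IV): HMAC-SHA256 keyed with H(S_a) over the IV (assumed PRG).

    Easy to compute for anyone holding both seeds ([0065] (i)); as a PRF its
    outputs reveal nothing about the key and are unpredictable without it
    ([0065] (ii) and (iii)).
    """
    iv_bytes = iv.to_bytes((iv_bits + 7) // 8, "big")
    return hmac.new(hs_a, iv_bytes, hashlib.sha256).digest()[:KEY_LEN]


def confirmation_tag(sk: bytes, cryptogram: bytes) -> bytes:
    """Integrity tag over the cryptogram E_SK(M) under SK.

    Assumption: the patent does not say how a candidate SK is recognised as
    'the right one'; here the receiver's integrity tag serves that purpose.
    """
    return hmac.new(sk, cryptogram, hashlib.sha256).digest()[:8]


def sender_establish(s_a: bytes, iv: int, iv_bits: int, cryptogram: bytes):
    """Entity a: derive SK from its own secret S_a and the IV, then tag the cryptogram."""
    sk = prg(h_secret(s_a), iv, iv_bits)
    return sk, confirmation_tag(sk, cryptogram)


def escrow_recover_with_iv(filed_s_a: bytes, iv: int, iv_bits: int) -> bytes:
    """T_a, procedure (ii) of [0071]: IV read from the cleartext part of the exchange."""
    return prg(h_secret(filed_s_a), iv, iv_bits)


def escrow_recover_by_search(filed_s_a: bytes, iv_bits: int, cryptogram: bytes, tag: bytes):
    """T_a, procedure (ii) when IV is unavailable: exhaustive search over the
    limited effective IV size, keeping the candidate whose SK verifies the tag.
    Returns (iv, sk), or None if no candidate verifies."""
    hs_a = h_secret(filed_s_a)
    for candidate_iv in range(1 << iv_bits):
        sk = prg(hs_a, candidate_iv, iv_bits)
        if hmac.compare_digest(confirmation_tag(sk, cryptogram), tag):
            return candidate_iv, sk
    return None


if __name__ == "__main__":
    s_a = secrets.token_bytes(32)              # constructed S_a, filed with T_a
    iv_bits = 20                               # within the 20-40 bit range of [0065]
    iv = secrets.randbelow(1 << iv_bits)       # e.g. a counter value inside MC_a
    cryptogram = secrets.token_bytes(48)       # constructed stand-in for E_SK(M)
    sk, tag = sender_establish(s_a, iv, iv_bits, cryptogram)
    assert escrow_recover_with_iv(s_a, iv, iv_bits) == sk
    found = escrow_recover_by_search(s_a, iv_bits, cryptogram, tag)
    print("exhaustive search over 2^%d IVs recovered SK:" % iv_bits, found == (iv, sk))
```

The search cost is 2^IV_bits PRG evaluations plus one tag check each, which is why the patent bounds the effective IV size: with 20 bits the escrow authority finishes in seconds on commodity hardware, while the same bound does not help an outsider, who lacks S_(a) and therefore cannot enumerate candidates at all.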

[0072] By combining the basic procedures (i) and (ii) defined above, T_(a) is still able to recover the session key in the case where a more complex protocol to establish the session key is used between a and b. By way of example, we may consider the following protocol: b generates a secret value SK1 and transmits it to a coded under the public key P_(a) of a; a generates a secret value SK2 and transmits it to b coded under the public key P_(b) of b; a and b calculate the session key SK as the exclusive OR of the values SK1 and SK2 (SK=SK1 XOR SK2). With a protocol of this type, T_(a) would be able to recover SK1 by using procedure (i) defined above and SK2 by using procedure (ii), and therefore, from these two values, recover SK.

[0073] The process that has just been described may be implemented according to variants in which information pertaining to secret key S_(a) is not filed with a sole entity T_(a), but divided into two “parts” which are filed with separate third party escrow authorities.

[0074] For example, the secret key S_(a) of a may consist of a secret RSA exponent d. This secret may be divided into two “parts” d1 and d2 such that d1+d2=d. Two escrow authorities T_(a) and T_(b), respectively responsible for filing d1 and d2 (and the public modulus n_(a) of a), are able:

[0075] To check, without disclosing their part of secret d, that they are effectively capable of calculating the secret function of key S_(a). In order to do this, each of them raises an input value to the power given by its part, modulo n_(a), and the resulting values are then multiplied together modulo n_(a).

[0076] To recover a session key SK from data of the protocol to establish this key (by disclosing, if necessary, to the other third party or an interception authority their part of key S_(a)). 
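The following Python model is added as an illustration of the combined protocol of [0072] and of the split-secret variant of [0073] to [0076]; it is not part of the patent text. Textbook RSA with two fixed small primes and no padding stands in for the public key distribution system (an assumption made only to keep the arithmetic readable), and the same HMAC-SHA256 construction as in the previous example is assumed for the PRG that produces SK2. The check of [0075] is implemented as: each partial authority raises a random probe x to its own share modulo n_(a), the two results are multiplied modulo n_(a), and the public exponent must map the product back to x. All values are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Toy RSA key pair for entity a: S_a = d, P_a = (n_a, e).  Fixed Mersenne
# primes and no padding keep the arithmetic transparent; they are an
# assumption of this example, not a usable key size.
P_TOY = (1 << 31) - 1
Q_TOY = (1 << 61) - 1
N_A = P_TOY * Q_TOY
E_A = 65537
D_A = pow(E_A, -1, (P_TOY - 1) * (Q_TOY - 1))


def split_secret(d: int):
    """[0074]: divide the secret exponent into shares d1 + d2 = d, one per partial authority."""
    d1 = secrets.randbelow(d - 1) + 1
    return d1, d - d1


def partial_power(x: int, share: int, n: int) -> int:
    """One partial authority raises the input to its own share modulo n_a,
    without disclosing the share itself."""
    return pow(x, share, n)


def combine(y1: int, y2: int, n: int) -> int:
    """Multiply the two partial results modulo n_a: x^d1 * x^d2 = x^(d1+d2) = x^d."""
    return (y1 * y2) % n


def shares_are_consistent(d1: int, d2: int, n: int, e: int) -> bool:
    """[0075]: the two authorities check that together they compute the secret
    RSA function, by confirming that the public exponent undoes the combined
    result on a random probe: (x^d1 * x^d2)^e == x (mod n_a)."""
    x = secrets.randbelow(n - 2) + 2
    y = combine(partial_power(x, d1, n), partial_power(x, d2, n), n)
    return pow(y, e, n) == x


def h_secret(d: int) -> bytes:
    """H(S_a) over the big-endian encoding of the secret exponent."""
    return hashlib.sha256(d.to_bytes((d.bit_length() + 7) // 8, "big")).digest()


def prg_sk2(hs_a: bytes, iv: int) -> int:
    """SK2 = PRG(H(S_a), IV) as a 64-bit integer (HMAC-SHA256, assumed PRG)."""
    digest = hmac.new(hs_a, iv.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big")


def run_combined_protocol(d1: int, d2: int, iv: int):
    """[0072]: b sends SK1 under P_a, a derives SK2 from its PRG, SK = SK1 XOR SK2.
    Returns (sk agreed by a and b, sk recovered by the cooperating authorities)."""
    sk1 = secrets.randbits(64)                   # chosen by b
    c1 = pow(sk1, E_A, N_A)                      # P_a(SK1), visible on the wire
    sk2 = prg_sk2(h_secret(D_A), iv)             # a seeds its PRG with its own d = S_a
    sk = sk1 ^ sk2                               # SK = SK1 XOR SK2

    # Escrow side.  Procedure (i): SK1 via the two partial decryptions of c1.
    rec_sk1 = combine(partial_power(c1, d1, N_A), partial_power(c1, d2, N_A), N_A)
    # Procedure (ii): SK2 from the IV and the secret rebuilt by cooperation (d1 + d2).
    rec_sk2 = prg_sk2(h_secret(d1 + d2), iv)
    return sk, rec_sk1 ^ rec_sk2
```

Neither partial authority learns the other's share from the exchanged powers, yet the consistency check convinces both that the filed parts really do add up to a working decryption exponent, which is the property [0075] asks for before any interception is ever needed.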

1. Communication process coded with encryption key escrow and recovery systems implementing: A first entity (a) consisting of the first cryptography means (MC_(a)) and equipped with a first identity (Id_(a)), a first public key for key distribution (P_(a)) and a first secret key for key distribution (S_(a)) that corresponds to said first public key (P_(a)). A second entity (b) consisting of the second cryptography means (MC_(b)) and equipped with a second identity (Id_(b)), a second public key for key distribution (P_(b)) and a second secret key for key distribution (S_(b)) that corresponds to said second public key (P_(b)). In that this process consists of: (iii) A preliminary phase to establish a session key (SK) phase in which at least one of the entities (a, b) produces a session key (SK) and forms a cryptogram consisting of this key coded by the public key (P_(b), P_(a)) of the other entity, where the other entity (b, a) decodes said cryptogram with the aid of its secret key (S_(b), S_(a)) and recovers the session key (SK). (iv) An exchange of messages (M) phase in which the entities (a, b) form cryptograms ESK(M) consisting of messages (M) coded by the session key (SK) that is established in the preliminary phase, where each entity decodes the received cryptogram with the aid of the session key (SK) and thus recovers the message it has been sent. This process is characterised in that: It further implements at least one escrow authority (T_(a), T_(b)) associated with one of the entities (a, b), where this authority files the secret key (S_(a), S_(b)) of the related entity (a, b). 
In the preliminary phase, the entity (a, b) that produces the session key (SK) implements a pseudorandom generator (PRG_(a), PRG_(b)) known by the related escrow authority (T_(a), T_(b)) and initiates this pseudorandom generator with the aid of its secret key (S_(a), S_(b)) and an initial value (IV) deduced from relevant data by an algorithm known by the escrow authority (T_(a), T_(b)).
 2. Process in accordance with claim 1 above in which the escrow authority (T_(a), T_(b)) associated with the entity (a, b) that produces the session key (SK) in the preliminary phase, implements a pseudo-random generator identical to that of the related entity (PRG_(a), PRG_(b)), initiates this generator with said initial value (IV) and the secret key (S_(a), S_(b)) of the related entity (a, b) that it filed, and thus recovers the session key (SK).
 3. Process in accordance with claim 1 above, in which the escrow authority (T_(b), T_(a)) associated with the entity (b, a) that has not produced the session key (SK) in the preliminary phase, decodes the cryptogram of the session key (P_(b)(SK), P_(a)(SK)) with the aid of the secret key (S_(b), S_(a)) of the related entity (b, a) that it filed, and thus recovers the session key (SK).
 4. Process in accordance with any one of claims 1 to 3 above, in which the initial value (IV) is deduced from data exchanged between the entities (a, b) in the preliminary phase to establish the session key (SK).
 5. Process in accordance with claim 2 above, in which the escrow authority obtains the initial value (IV) through exhaustive tests from data that is capable of receiving a limited number of values.
 6. Process in accordance with claim 1 above, in which the pseudo-random generator (PRG_(a), PRG_(b)) of an entity (a, b) is initiated by a one-way function (H(S_(a)), H(S_(b))) of the secret key (S_(a), S_(b)) of this entity (a, b).
 7. Process in accordance with claim 1 above, in which at least one first certification authority (CA_(a), CA_(b)) delivers a certificate (C_(a), C_(b)) attesting to the relation between the identity (Id_(a), Id_(b)) of the entity and the public key (P_(a), P_(b)) if and only if the filing of the corresponding secret key (S_(a), S_(b)) effectively occurred with the corresponding escrow authority (T_(a), T_(b)), in that the preliminary phase to establish a session key (SK) and the message exchange phase are, in the cryptology means (MC_(a), MC_(b)), both subject to the validity of the certificate (C_(a), C_(b)) and the effective relation between the public key (P_(a), P_(b)) contained in this certificate and the secret distribution key (S_(a), S_(b)).
 8. Process in accordance with claim 1 above, in which, for at least one of the entities (a, b), the certification authority (CA_(a), CA_(b)) and the escrow authority related to this entity (T_(a), T_(b)) are combined under a single authority.
 9. Process in accordance with claim 1 above, in which the escrow authority (T_(a), T_(b)) is divided into two partial authorities (T_(a) ¹,T_(a) ²)(T_(b) ¹,T_(b) ²) each filing a part (S_(a) ¹,S_(a) ²)(S_(b) ¹,S_(b) ²) of the secret distribution key (S_(a), S_(b)), in that neither of the two partial authorities is capable of rebuilding the secret distribution key (S_(a), S_(b)) on its own, but in that both partial authorities are capable of rebuilding the secret distribution key by cooperating, in that both partial authorities are able to ensure that they hold parts of the secret key that enable it to be rebuilt.
 10. Process in accordance with claim 1 above in which, during the preliminary phase to establish a session key: The first entity (a) produces a first partial session key (SK_(a)), forms a first cryptogram P_(b)(SK_(a)) of this first partial session key (SK_(a)) coded by the public key (P_(b)) of the second entity (b), and sends this first cryptogram to the second entity (b). The second entity (b) produces a second partial session key (SK_(b)), forms a second cryptogram P_(a)(SK_(b)) of this second partial session key (SK_(b)) coded by the public key (P_(a)) of the first entity (a), and sends this second cryptogram to the first entity (a). The two entities (b, a) decode the first and second cryptograms with the aid of their secret key (S_(b), S_(a)), recover the first and second partial session keys (SK_(a), SK_(b)) and form the session key (SK) from the partial session keys.
 11. Process in accordance with claim 10 above, in which the entities (a, b) form the session key (SK) through a logical OR exclusive operation between the first and second partial session keys (SK_(a), SK_(b)).
 12. Process in accordance with any one of claims 1 to 11, in which the escrow authority (T_(a), T_(b)) associated with one of the entities (a, b) is the entity user. 